Silence gets you nowhere in a data breach

Your victim status won’t last long if your response is nonexistent

In cybersecurity, the phrase “what they don’t know won’t hurt them” is not only wrong, it’s dangerous. Despite this, it’s a motto that remains in many organizations’ PR playbooks, as demonstrated by the recent LastPass and Fortra data breaches.

LastPass has refused to answer any of TechCrunch+’s questions since it confirmed in December that hackers had exfiltrated customers’ encrypted password vaults a month earlier. Fortra is not only declining to answer our questions but also concealed details of a recent security breach — potentially affecting upwards of 130 of its corporate customers — behind a paywall on its website.

TechCrunch+ has learned that LastPass has already lost customers because of its silent-treatment approach to its breach. And Fortra is likely to face a similar fate after TechCrunch+ heard from multiple customers that they only learned that their data had been stolen after receiving a ransom demand; Fortra had assured them that the data was safe.

Smaller companies, too, are employing a silent-treatment approach to data breaches: Kids’ tech coding camp iD Tech failed to acknowledge a January breach that saw hackers access the personal data of close to 1 million users, including names, dates of birth, passwords stored in plaintext, and about 415,000 unique email addresses. Concerned parents told us at the time that they only became aware of the breach after receiving a notification from a third-party data breach notification service.

Cyberattacks are now a fact of doing business: Almost half of U.S. organizations suffered a cyberattack in 2022, and attackers are increasingly targeting smaller businesses due to the fact they are seen as easier targets than large companies. This means that your startup is likely to get compromised at some point.

Transparency is key

While getting hacked can be forgivable, an organization’s victim status will not last long if it fails to respond appropriately or at all — as demonstrated by LastPass and Fortra.

“Breaches themselves are less of a concern than how an organization responds to, recovers from, and communicates about a breach,” Katie Moussouris, founder and CEO of Luta Security, told TechCrunch+. “From startups to larger organizations experiencing a breach, the move that inspires trust is the one that is transparent about what happened and how they intend to improve.”

Transparency and trust go hand-in-hand, and trust is one of the most important aspects of a successful business. In order to keep your customers on-side, it’s essential to be as open as possible about a data breach. If you don’t — and news of the breach comes to light — you’re going to erode trust with your customers.

There’s no need to try and spin the situation or to attempt to downplay the severity of the incident; just share what you know, what you don’t know, and what you are doing about it.

To do so confidently, it’s also vital that you make sure you have the right technology in place to discover the breach and contain it quickly. If your startup is able to see risks and isolate quickly, then it will be more confident in its communication.

“In one case, I had a multi-billion-dollar health care organization, and they have no idea how something progressed through its network,” Jake Williams, former NSA hacker and incident responder, told TechCrunch+. “At the same time, they’ve got a couple of hundred customers they should be notifying.”

And so is being quick

Urgency is paramount. Failing to confirm a data breach promptly risks diminishing customer confidence and reputational harm that may be challenging to restore. This is particularly true if customer action is required: Users may need to respond on their end, such as by changing passwords or monitoring for any suspicious activity. By revealing data breaches quickly, you’re giving your clients the best chance to protect themselves from further acts of fraud.

“You’ve got the folks that don’t disclose or particularly disclose to meet some minimum legal requirement but don’t provide enough detail for an organization to evaluate the risk,” Williams said. “These downstream organizations end up spending a lot of time and money investigating their exposure.”

Being slow to respond to a data breach also runs the risk of regulatory action. While there is no federal data breach notification law in the United States, most states have data breach reporting laws for consumer information, which means your organization could face legal consequences and regulatory fines. In some cases, a failure to disclose a data breach in a timely way may well fall under the radar of the Federal Trade Commission or U.S. Securities and Exchange Commission, which can bring additional actions.

Take the 2016 Uber data breach: Uber paid hackers $100,000 to delete the data and stay quiet about the incident instead of disclosing the breach. Uber finally disclosed the breach in November 2017, but its delay in doing so led to lots of repercussions, including fines, sanctioned security protocols and criminal charges against its then-cybersecurity chief.

Human after all

Not only is your startup likely to be breached, but it’s likely to be breached as a result of human error.

According to a study by IBM, 95% of cybersecurity breaches result from human error, be it a coding mistake or clicking on a link in a particularly convincing phishing email.

Just as falling for these attacks is a very-human-thing, responding to them should be too: Be transparent, be helpful and compassionate, and please don’t ignore our emails.